Hello,
I upgraded Dovecot from version 2.3.21 to 2.4.0. In version 2.3.21, I encountered issues with OAuth2 authentication that had worked correctly in earlier releases. Specifically, the active_attribute check was failing, even though Keycloak was sending the active value as true. After upgrading to Dovecot 2.4.0, the active attribute is now validated successfully, and token introspection completes as expected. However, I am now encountering the following error:
2025-10-30 14:43:41.438 Oct 30 13:43:41 auth: Panic: file expansion-statement.c: line 30 (var_expand_execute_stmt): assertion failed: (value != NULL)
2025-10-30 14:43:41.444 Oct 30 13:43:41 auth-worker(354): Debug: conn unix:auth-worker (pid=113,uid=101): Disconnected: Connection closed (fd=-1)
2025-10-30 14:43:41.443 Oct 30 13:43:41 auth: Error: Raw backtrace: #0 test_subprocess_fork[0x7f03870fc510] -> #1 backtrace_append[0x7f03870fc7c0] -> #2 backtrace_get[0x7f03870fc960] -> #3 event_filter_match_iter_init[0x7f0387106bc0] -> #4 i_syslog_fatal_handler[0x7f0387106d00] -> #5 i_panic[0x7f0387033c8e] -> #6 [unw_get_proc_name() failed: -10] -> #7 var_expand_program_execute[0x7f0387070460] -> #8 settings_file_get[0x7f0387083550] -> #9 settings_parse_keyidx_value_nodup[0x7f0387085660] -> #10 settings_parse_keyidx_value_nodup[0x7f0387085d70] -> #11 settings_parse_keyidx_value_nodup[0x7f0387087180] -> #12 settings_get[0x7f03870877b0] -> #13 auth_worker_auth_request_new[0x558c60949050] -> #14 auth_worker_auth_request_new[0x558c609496e0] -> #15 oauth2_json_tree_build[0x7f03870432f0] -> #16 oauth2_json_tree_build[0x7f03870433d0] -> #17 oauth2_request_parse_json[0x7f03870435a0] -> #18 http_client_request_callback[0x7f0387091ee0] -> #19 http_client_connection_lost_peer[0x7f0387094850] -> #20 http_client_peer_connection_failure[0x7f038709a090] -> #21 io_loop_call_io[0x7f0387122780] -> #22 io_loop_handler_run_internal[0x7f0387123aa0] -> #23 io_loop_handler_run[0x7f0387123c40] -> #24 io_loop_run[0x7f0387123e40] -> #25 master_service_run[0x7f0387075720] -> #26 main[0x558c60931e80] -> #27 __libc_init_first[0x7f0386dc9150] -> #28 __libc_start_main[0x7f0386dc9200] -> #29 _start[0x558c609323d0]
Here is my current dovecot.conf.
dovecot_config_version = 2.4.0
dovecot_storage_version = 2.4.0

protocols = imap pop3 lmtp

auth_mechanisms {
  oauthbearer = yes
  xoauth2 = yes
}
oauth2 {
  introspection_url = https://client-name:client-key@iam.keyclock-url.com/auth/realms/realm-name/p...
  introspection_mode = post
  active_attribute = active
  active_value = true
  username_attribute = preferred_username
}
userdb static {
  fields {
    uid = vmail
    gid = vmail
    home = /home/vmail/%{user | domain}/%{user | username}
  }
}

service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }

  user = dovecot
}
service auth-worker {
  user = vmail
}

log_debug = category=auth
auth_verbose = yes
auth_debug_passwords = yes

mail_driver = maildir
mail_home = /home/vmail/%{user | domain}/%{user | username}
mail_path = ~

ssl_server_cert_file = /etc/ssl/private/vmail.crt
ssl_server_key_file = /etc/ssl/private/vmail.key
ssl_server_dh_file = /etc/dovecot/dh.pem

mail_debug = yes

log_path = /dev/stdout
info_log_path = /dev/stdout
debug_log_path = /dev/stdout
Regards,
Sukanya Morbale